Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
In recent days, news and government Web sites in Georgia suffered DDoS attacks. While these attacks seem to affect the Georgian Internet, it is still there. Facts: 1. There are botnet attacks against .ge websites. 2. These attacks affect the .ge Internet infrastructure, but it's reachable. 3. It doesn't seem Internet infrastructure is directly attacked. 4. Every other political tension in the past 10 years, from a comic of the Prophet Muhammad to the war in Iraq, were followed by online supporters attacking targets which seem affiliated with the opposing side, and vice-versa. Up to the Estonian war, such attacks would be called "hacker enthusiast attacks" or "cyber terrorism" (of the weak sort). Nowadays any attack with a political nature seems to get the "information warfare" tag. When 300 Lithuanian web sites were defaced last month, "cyber war" was the buzzword. Running security for the Israeli government Internet operation and later the Israeli government CERT such attacks were routine, and just by speaking on them in the local news outlets I started bigger so-called "wars" when enthusiasts responded in the story comments and then attacks the "other side". Not every fighting is warfare. While Georgia is obviously under a DDoS attacks and it is political in nature, it doesn't so far seem different than any other online after-math by fans. Political tensions are always followed by online attacks by sympathizers. Could this somehow be indirect Russian action? Yes, but considering Russia is past playing nice and uses real bombs, they could have attacked more strategic targets or eliminated the infrastructure kinetically. Coulda, shoulda — the nature of what's going on isn't clear, but until we are certain anything state-sponsored is happening on the Internet it is my official opinion this is not warfare, but just some unaffiliated attacks by Russian hackers and/or some rioting by enthusiastic Russian supporters. It is too early to say for sure what this is and who is behind it. The RBN blog (following the Russian Business Network) is of a different opinion: http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare.html and: http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare-2-sat-16-00.html Also, Renesys has been following the situation and provides with some data: http://www.renesys.com/blog/2008/08/georgia_clings_to_the_net.shtml (Thanks to Paul Ferguson for the URLs) DDoS attacks harm the Internet itself rather than just this or that web site, so soon this may require some of us in the Internet security operations community getting involved in mitigating the attacks, if they don't just drop on their own. Gadi Evron. ["You don't need your firewalls! Gadi is Israel's firewall." — Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant General, Israel's Ministry of Finance, at the government's CIO conference, 2005. (after two very funny self-deprecation quotes, time to even things up!)] http://www.linkedin.com/in/gadievron [There were a lot of lessons that should have been learned from the Estonian DDoS attacks that still remain to be learned. PGN]
This is an update of my previous post on the subject. To be honest here, no one truly knows what's going on in Georgia's Internet except for what can be glimpsed from outside, and what has been written by the Georgians on their blog (http://georgiamfa.blogspot.com/2008/08/cyber-attacks-disable-georgian-websites.html outside their country). They are probably a bit busy avoiding kinetic bombing. As mentioned in the previous post, Renesys has been following the Georgian links, which seem to be there, but occasionally drop due to possibly power failures. Renesys URL here: http://www.renesys.com/blog/2008/08/georgia_clings_to_the_net.shtml Shadowserver and others have been following the botnets attacking the Georgians web sites, and that is confirmed as happening. Shadowserver was quoted, here: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9112399&intsrc=hm_list According to Dancho Danchev, there have also been some defacements, which he describes here, along with other conclusions I don't necessarily agree with: http://blogs.zdnet.com/security/?p=1670 So--it is clear their web sites are under attack, and that Internet visibility-wise, the impact is real for the Georgians. And yet, it is simply too early and there is not enough information to call this an Internet war. It is too early to establish motive or who the perpetrator is, however much we may want to point fingers. Following every and any political or ethnic tension, world-wide, an online aftermath comes, in the form of attacks, defacements, and enthusiast hackers swearing at the other side (which soon does the same, back). While Georgia's suffering is real, such attacks are nothing but routine here in Israel. When I ran the defense for the Israeli government Internet operation and then the Israeli government CERT, such attacks would occur daily. Hackers on the other side would band together, talk, coordinate a date, exchange tools, and attack. While I apologize for the analogy, post-9/11 Israelis were shocked. We were sympathizing and crying for the victims. What we did not understand was why people were still shocked ten minutes past, as this was a normal every-day life happening for us over here. The same applies for cyber-space, the Internet--we are used to this. The difference in this attack was that the Georgian authorities, like numerous others around the world still aren't, were not prepared to face and fend against such an attack. In my article "Fighting Botnets and Online Mobs" for the Georgetown Journal of International Affairs covering the Internet war in Estonia, I state how our opponents will no longer be just countries, or even organizations as Martin van Creveld once predicted ahead of his time, but that on the Internet playing field any individual or loosely affiliated group can be a player, affecting countries and yes, corporations as well. My article can be found here: http://www.ciaonet.org/journals/gjia/v9i1/0000699.pdf The best article describing the events so far is by John Markoff at *The New York Times*. http://www.nytimes.com/2008/08/13/technology/13cyber.html?em Gadi Evron.
*The New York Times* reports that in the "hot war" currently going on between Russia and Georgia, cyberwarfare appears to have broken out as well: > Neither side showed any indication of backing down. Prime Minister > Vladimir V. Putin of Russia declared that "war has started," and President > Mikheil Saakashvili of Georgia accused Russia of a "well-planned invasion" > and mobilized Georgia's military reserves. There were signs as well of a > cyberwarfare campaign, as Georgian government Web sites were crashing > intermittently during the day. <http://www.nytimes.com/2008/08/09/world/europe/09georgia.html>
Evgeniy Polyakov has demonstrated that the emergency patch to the Domain Name System for the vulnerability noted by Dan Kaminsky (RISKS-25.25) is itself flawed and relatively easily exploited. [Source: John Markoff, *The New York Times*, 9 Aug 2008, B1 (National Edition); PGN-ed]
Bad decision by the Judge djf [Boston's Charlie Card vulnerability. Note that the student's paper explicitly does not reveal the key details of the vulnerability. Another example of shooting the messenger rather than getting to the root of the problems. PGN] Begin forwarded message: From: EFF Press <email@example.com> Date: August 9, 2008 5:14:30 PM EDT To: firstname.lastname@example.org Subject: [E-B] EFF: MIT Students Gagged by Federal Court Judge Reply-To: email@example.com Electronic Frontier Foundation Media Release For Immediate Release: Saturday, August 09, 2008 Contact: Jennifer Stisa Granick Civil Liberties Director Electronic Frontier Foundation firstname.lastname@example.org +1 415 271-4879 Marcia Hofmann Staff Attorney Electronic Frontier Foundation email@example.com +1 415 436-9333 x116 Rebecca Jeschke Media Coordinator Electronic Frontier Foundation firstname.lastname@example.org +1 415 436-9333 x125 MIT Students Gagged by Federal Court Judge EFF Backs Researchers Forced to Cancel Presentation on Transit Fare Payment System Las Vegas - Three students at the Massachusetts Institute of Technology (MIT) were ordered this morning by a federal court judge to cancel their scheduled presentation about vulnerabilities in Boston's transit fare payment system, violating their First Amendment right to discuss their important research. The Electronic Frontier Foundation (EFF) represents Zack Anderson, RJ Ryan and Alessandro Chiesa, who were set to present their findings Sunday at DEFCON, a security conference held in Las Vegas. However, the Massachusetts Bay Transit Authority (MBTA) sued the students and MIT in United States District Court in Massachusetts on Friday, claiming that the students violated the Computer Fraud and Abuse Act (CFAA) by delivering information to conference attendees that could be used to defraud the MBTA of transit fares. This morning District Judge Douglas P. Woodlock, meeting in a special Saturday session, ordered the trio not to disclose for ten days any information that could be used by others to get free subway rides. "We wanted to share our academic work with the security community and had planned to withhold a key detail of our results so that a malicious attacker could not use our research for fraudulent purposes," said Anderson. "We're disappointed that the court is preventing us from presenting our findings even with this safeguard." Vulnerabilities in magnetic stripe and RFID card payment systems implemented by many urban transit systems are generally known. The student research applied this information to the specific case of Boston's Charlie Card and Charlie Ticket, and the project earned an A from renowned computer scientist and MIT professor Dr. Ron Rivest. The court relied on a federal law aimed at computer intrusions in issuing its order, holding that even discussing the flaws at a public conference constituted a "transmission" of a computer program that could harm the fare collection system. "The court's order is an illegal prior restraint on legitimate academic research in violation of the First Amendment," said EFF Civil Liberties Director Jennifer Granick. "The court has adopted an interpretation of the statute that is blatantly unconstitutional, equating discussion in a public forum with computer intrusion. Security and the public interest benefit immensely from the free flow of ideas and information on vulnerabilities. More importantly, squelching research and scientific discussion won't stop the attackers. It will just stop the public from knowing that these systems are vulnerable and from pressuring the companies that develop and implement them to fix security holes." This case is part of EFF's Coders' Rights Project, launched just this week to protect programmers and developers from legal threats hampering their cutting-edge research. EFF will seek relief for the researchers in the courts. For the full temporary restraining order: http://www.eff.org/files/filenode/MIT%20students%20TRO.pdf For more on the Coders' Rights Project: http://www.eff.org/issues/coders For this release: http://www.eff.org/press/archives/2008/08/09 About EFF The Electronic Frontier Foundation is the leading civil liberties organization working to protect rights in the digital world. Founded in 1990, EFF actively encourages and challenges industry and government to support free expression and privacy online. EFF is a member-supported organization and maintains one of the most linked-to websites in the world at http://www.eff.org/
A few media sources seem to be picking up a press release from the University of Michigan. http://www.ns.umich.edu/htdocs/releases/story.php?id=6666 This reports on "CloudAV," a project and series of papers about having antivirus detection run "in the cloud" rather than on the PC. http://www.eecs.umich.edu/fjgroup/cloudav/ As usual, there seems to be some misunderstanding about what is going on here. CloudAV is not really a new approach, it is simply the use of multiple scanners, which the AV research community has advocated for years. It's like having a bunch of scanners installed on your desktop, or a system like Virustotal, with the exception that the scanners run on different computers so you get a bit of performance advantage (absent the bandwidth lag/drain for submitting files to multiple systems). email@example.com firstname.lastname@example.org victoria.tc.ca/techrev/rms.htm blogs.securiteam.com/index.php/archives/author/p1/
Here are two items from the readers' queries feature in the travel section of the weekend newspaper recently (don't know if they're in the on-line version, but it's http://www.telegraph.co.uk/travelexperts , Aug 2 & 9): * A reader wrote about booking 3 air tickets on-line for himself and two other people via the airline's web site, and ended up with three tickets with his own name on them, which cost a small fortune to correct. This was suggested as being due to the `autofill' function of his web browser (it didn't say which one), and also returning to a previous stage of the booking process with the browser back arrow rather than the `Back' link on the web page. The airline was quoted as saying that it can't disable or detect this as an error (unlike, say, an empty name field), so it's the customers' responsibility to check when entering data. * In the UK, passports last for 10 years, but they can be renewed slightly before they expire, with the unused period transferred to the new one (thus allowing you to renew your passport in good time without losing part of its validity period), hence it's possible to have a passport with an expiry date just over 10 years in the future. A reader comments that the US Electronic System for Travel Authorisation application site at https://esta.cbp.dhs.gov didn't accept his passport because it was valid for more than 10 years. Response was that the Department for Homeland Security claims to have fixed this, but as the on-line permit is compulsory from next year, it may be something to be aware of.
I have been watching with increasing puzzlement the security theater about "electronic passports", and I still cannot figure out what it is that the system is supposed to accomplish. It seems to me that it is going backwards. Indeed, the world has changed since the traditional passport system was established. The traditional passport relies on "secure paper" technology: Textile paper with watermarks was considered to be too difficult to fake. Modern printers can create something that looks close enough to fool a quick look. It seems to me that the response to this would be to take advantage of Internet technology: One should no longer trust the passport, but use only the embedded barcode or OCR digit string to furnish a record identifier and then pull the passport information from the issuing agency's database. Then a forged paper passport would be worthless at border crossings. Instead, we have replaced the reliance on "secure paper" with a reliance on "secure silicon", even though it should be obvious to anyone that a writable memory chip can be reprogrammed in the field ... indeed the standard method of deployment of the genuine instrument relies on this property. Any digital signing on the chip to ensure that it has not been altered requires a functioning network link to the issuer's database. And with that link, the chip is unnecessary. I know that I am not so smart that I have figured out something that all the experts have overlooked, so I must be missing something critical. What have I overlooked? Lars Poulsen, Afar Communications Inc
It's worth noting — repeating, actually — that border searches of laptops are not restricted to the US. See, for example, http://news.bbc.co.uk/1/hi/sci/tech/150465.stm which reports on British policy. Also note the date: 1998. I have a different question: which developed economies have explicit policies saying that they will not search (the information on) laptops? Steve Bellovin, http://www.cs.columbia.edu/~smb
The worst features of this are that IF you have done the smart thing and used strong encryption to protect your data, the Customs agent will be MORE likely to take away your entire laptop for examination... and he will take your entire laptop, not just the hard drive out of it. In effect, you have no Fourth or Fifth Amendment rights when crossing the border into the US. Must scare the living bejusus out of most corporate counsel and CIO guys. As for me, the next time I cross the border with my laptop, it will have an entirely brand spanking new Fedora install on the laptop's original (small) hard drive with not one single piece of important data.
GPS caused nothing there, no computer risks involved. The risk is for people travel in wild places with no clue about what they are about to experience. They blamed the GPS because they had to to find an excuse for their ignorance and stupidity. They were lucky that they got away with just embarrassment, others with a similar attitude have paid with their life.
I've long been a critic of DNA matches — seems it's always being presented as an almost "sure thing". I always said that when the database got large enough they'd start having problems. Well, a recent article has caused me to analyze the probabilities. It's quite eye-opening when you understand how it really works. You always hear of one-in-million or billion chances but it would seem, by simple analysis, that this is not true, and would certainly explain why the FBI is fighting against people being able to do studies such as are quoted in this article. But you really don't need to do any studies. That statistics are pretty simple. For those of you who are computer-wise, DNA matching is apparently a binary coded system. "9 loci" matches are frequently used to find matches. I don't know where the numbers come from that I hear in the court cases...but this is how it quite apparently works. As the article below pointed out — they found 122 matches in the Arizona database of 65,000 where there was a 9-loci or more match. This very closely matches the following table that I calculated based on simple binary probabilities showing # of loci, cumulative probability, and resulting number of average matches expected at each loci match level: 1 0,5 32500 2 0,25 8125 3 0,125 4063 4 0,0625 2031 5 0,03125 1016 6 0,015625 508 7 0,007813 254 8 0,003906 127 9 0,001953 63 10 0,000977 32 11 0,000488 16 12 0,000244 8 9 loci or better" numbers gives you 63 likely matches — The 122 in the study may well be due to the lack of independence — e.g.. relatives and the distribution of the actual DNA samples (which one would have to do a study to find out). Given the current U.S. population of 305 million then, how many matches would there be in the U.S.? At 9 loci or more you would expect 595,703 matches. Proof beyond doubt? Hardly. At 12 loci it would be 74,463 and at 13 loci 37,231. This is why DNA evidence alone is NOT a sure thing and should never be used as the sole evidence in a case. So the next question would be — if I already have a suspect and his DNA matches — how good is that? That question is simply, "what are the odds that a specific DNA sample will match somebody else in the database?" For the U.S. population that turns out to be 1-in-546 or a 99.82% match at 9 loci and 1-in-8192 at 12 loci or a 99.99% match. As a juror I don't think I would see much difference between 99.82% and 99.9988%. And stating it as 1-in-8192 puts a whole different spin on 99.99%. DNA can be used to EXCLUDE beyond any doubt. But it cannot be used to INCLUDE beyond any doubt. Question being what is "reasonable doubt" statistically? As a defense lawyer you might be able to say "in this city of 65,000 alone there are approximately 122 people with the same DNA profile as my client" — that would be the 9-loci case — or "8 people' at 12 loci. That sounds like reasonable doubt to me and would make me completely discount the DNA evidence. Without other supporting evidence I would never convict somebody on DNA alone.
The controversy arises here because this situation is analogous to the well known Birthday Problem (sometimes called the Birthday Paradox), which is the difference between the following two questions: Q1: How many people do I have to invite to a party before the probability that two of the guests have the same birthday exceeds 99%? A1: 57. Q2: How many people do I have to invite to a party before the probability that one of the guests has the same birthday as me exceeds 99%? A2: 1679. Another way to look at it: If I invite 57 people to my party, there is a 99% chance that two guests will have the same birthday, but a less than 15% chance that one of the guests will have the same birthday as me. * From the description in the news stories, Troyer was asking question 1. During criminal investigations, investigators ask question 2.
In our travels, work, school, home, we may have need of multiple different locations from which to access various Internet services, but probably not simultaneously. Those different PCs can often have different default settings and configurations. I recently was working in part of the flooded Midwest, where many business sites without phones, fax, Internet service etc. so I was using computer at motel to catch up on e-mail etc. The computer in hotel lobby was shared by 200 hotel room guests, on first come first served basis. Important to log out each day, maybe change password daily, because unknown what gets saved on that PC cache. I found where one guest had created a folder with particulars about managing their bank accounts, still logged on. Every guest could access every other guest stuff because it was one password for all of us. I figure this kind of infrastructure is magnet for spyware. For decades in offices where people share some network of data bases, it has been productive to concurrently open multiple sessions ... some updating or entering data, others inquiring into various aspects of the data entry, more related to coping with interruptions. It is nice that at an instant's need, yet another session can be opened to look at the data a different way or to pursue a different interest. But at end of day, time to go home, it is also easy to forget about a session opened hours ago & interrupted by interruptions forgot it was open. This could be at one workstation with 8 sessions open, or multiple work stations, as some persons patrolled a building, dealing with situations, signing onto the most convenient location. I railed without success at the network configurators to add an icon showing number of sessions you are currently signed on at, a number you want to wind down to zero when you done for the day.
Please report problems with the web pages to the maintainer